CN105264819A - Minimal disclosure credential verification and revocation - Google Patents

Abstract

The subject disclosure is directed towards credential verification for accessing a service provider. A user may prove to the service provider the validity of the credential by communicating a non-revocation component that is based upon a prime-order cryptographic group without a bilinear pairing. In order to authenticate the user, a verification mechanism within an identity management system applies private cryptographic data, including a verifier-designated private key to the non-revocation component, which proves that the user's identity and therefore, the credential is not revoked. The presentation proof includes a hash value that is computed using the credential's commitment and the prime-order cryptographic group. By verifying that the hash value was computed using that commitment, the verification mechanism validates the credential and permits access to the service provider.

Description

Minimum disclosure credential verification and cancelling

background

Respectively organize more and more to pay close attention to and identify safely on the internet and access off-line and utilize its service and user of resource, keep the privacy of information to all other men of these users simultaneously.These user authentication and data sharing demand considered, be utilized the new business model of personal information by cost and efficiency and gone fishing, the explosive increase of identity theft and other security threats drive.Traditional mechanism (such as plastic clip and papery voucher) for user authentication and data sharing be expensive, be easy to forge and be difficult to online use.

As a result, exist for software and/or hardware implementing being used to protecting the interest of the quick growth of the mechanism (such as, X.509 certificate) of currency on internet or financial transaction.But these mechanism are restricted, because such as these mechanism can not be used when the information at least partially that non-disclosure is associated with user.During verification procedure, in order to determine that whether voucher is effective, user provides at least some identity data so that certified.In some cases, issuer may be wanted to stop specific user to use the voucher be awarded, such as when this user may no longer include that qualification uses the voucher previously issued, the attribute wherein comprised has become interim or forever invalid or this user violate be associated with this ISP tactful time.Therefore, for the unrepealed user of its voucher, prove that validity can not complete when non-disclosure has the privately owned of the form of one or more attribute and/or security information.This is because attribute itself is used to follow the tracks of reversed voucher.

general introduction

There is provided this general introduction to introduce the selected works of some representative concepts further described in the following detailed description in simplified form.This general introduction is not intended to the key feature or the essential feature that identify theme required for protection, is not intended to use in any way that would limit the scope of the claimed subject matter yet.

In brief, the various aspects of theme disclosed herein relate to the validity that proves minimum disclosure voucher/non-and cancel, and without the need to disclosing the identification information of the user about voucher and/or voucher.In one aspect, non-assembly (be called as the signature that can verify in this article or present proof) of cancelling is by verifying that certain entity/authoritative institution does not cancel voucher and confirms this voucher.These vouchers can refer to multiple term in this article, such as minimum disclosure voucher, security tokens, privacy protection token, anonymous credentials etc.As described in this article, the identity management system based on minimum disclosure voucher allows user evidence voucher not cancelled, and without the need to disclosing any private information, the identity of such as user.

In one aspect, voucher comprises the attribute do not disclosed corresponding to the identity of user be embedded in wherein.Be applied to the non-of attribute do not disclosed corresponding to this by the private cipher key of verifier being specified and cancel proof, verifier's assembly in identity management system determines that whether non-proof of cancelling is that this accumulator represents the reversed voucher of blacklist or effective voucher of white list from accurately and generate up-to-date accumulator.On the other hand, the inquiry that verifier generates is signed by the private cipher key of user's voucher and is returned to verifier for checking.In another, because controversial issue, mistake, identity change and/or invasion etc. can make any voucher invalid before it is expired, cancel authoritative institution for such system update accumulator.

In one aspect, credential verification/cancel is embodied as the part based on the service of cloud, foundation structure and/or platform by identity management system.In one aspect, identity management system provide relate to accumulator to issue, verify and/or cancel relevant service.In one aspect, if use the attribute information do not disclosed of voucher (such as, unique user identifiers) and privately owned code data generate accumulator, then the non-member qualification in blacklist or white list or membership qualification can use this privately owned code data but not the value of attribute is determined.In one aspect, privately owned code data realizes credential authentication, allows user to keep anonymous as described in this article simultaneously.

Read following detailed description in detail by reference to the accompanying drawings, other advantages of the present invention can become apparent.

accompanying drawing is sketched

Exemplarily unrestricted, the present invention shown in the drawings, Reference numeral identical in accompanying drawing indicates same or analogous element, in accompanying drawing:

Fig. 1 explains orally the block diagram according to the example identity management system of one or more example implementation.

Fig. 2 be explain orally according to one or more example implementation for credential verification and the block diagram of exemplary protocols of cancelling.

Fig. 3 explains orally the flow chart for using minimum disclosure voucher to initiate the exemplary step of transaction while keeping anonymity according to one or more example implementation.

Fig. 4 is the flow chart that the exemplary step for controlling the access to ISP is shown according to one or more example implementation.

Fig. 5 is the flow chart of the step for upgrading at least one evidence value illustrated according to one or more example implementation.

Fig. 6 is the block diagram representing the unrestricted networked environment of example, wherein can realize various embodiment described herein.

Fig. 7 represents the unrestricted computing system of example of one or more aspects that wherein can realize each embodiment described herein or the block diagram of operating environment.

describe in detail

The each side of technology described herein relates generally to minimum disclosure credential verification as promoted by the assembly of identity management system and/or other hardware/softwares mechanism/cancel.As described in this article, be called that an exemplary components of issuer is issued the voucher of encoding to attribute data and is provided for other data of the object of the authenticated user when performing online transaction herein.Another exemplary components comprises credential verification mechanism or verifier, and it is configured to various code data to be applied to and is configured to confirm that given minimum disclosure voucher non-cancels assembly (signature such as, can verified or present proof).In one aspect, minimum disclosure voucher is based on cryptography scheme, and this cryptography scheme is configured to allow user access services supplier and/or initiate online transaction, keeps anonymous simultaneously and can not the person of being awarded and verifier follow the trail of.

Cryptography scheme can adopt various code data, comprises the cryptographic key (such as private cipher key) can specified from Prime Orders password population spikes (the Prime Orders multiplication loop subgroup of such as integer) or another verifier constructing stochastic generation (such as elliptic curve group).Such structure can comprise the standardized password population spikes following Diffie-Hellman hypothesis.Standardized password group refers generally to the mechanism that is standardized (such as, Federal Information Processing Standards (FIPS) 186-3 and American National Standards Institute (ANSI) (ANSI) X9.62) generate and the swarm parameter arranged, it can be used to issue voucher.Exemplarily illustrate, national standard and Institute for Research and Technology (NIST) are provided for the example embodiment of several standardized password group.Alternatively, code data can comprise the inquiry value that verifier generates, and it is also the element of Prime Orders password population spikes (comprising the Prime Orders additive subgroup of integer).This structure can be fabricated when not needing any things of the Bilinear Pairing that can be considered between the subgroup of integer, and alternatively, can based on discrete logarithm group.

Except issuing and verifying, identity management system also comprises cancels authoritative institution, this is cancelled authoritative institution and calculates accumulator and this accumulator can be used, this accumulator represents at least one reversed user identifier (such as according to one or more example implementation, blacklist) or at least one validated user identifier (such as, white list).Accumulator refers generally to the value based on prime order subgroup structure, and this value can represent ISP and calculate to confirm that the non-of voucher cancels state for using the Designated-Verifier of privately owned code data (the privately owned cryptographic key that all verifiers as described in this article specify).After selecting to be used for the cumulative attribute do not disclosed, cancel cryptographic key that authoritative institution can use verifier to specify to calculate the evidence of accumulator and this attribute, this attribute can be called as in this article cancels attribute, and its membership qualification in accumulator or non-member qualification refer to being cancelled of this voucher respectively or do not cancelled state.

In an example implementation, third party Identity Provider representative of consumer generates unique user identifiers, uses when issuing and cancelling state with the voucher of authentication of users non-for identity management system.Note, identity management system may know this unique user identifiers, but may not know other data any of this user of mark, the name of such as user.Therefore, by unique user identifiers being encoded to the voucher of the attribute do not disclosed through signature, user's computing equipment can initiate the transaction with ISP, keeps anonymous simultaneously or only discloses the information of inappreciable amount.Operate in being known in user's computing equipment and non-ly cancel assembly for the assembly of certifier generates, it at least comprises and presents proof, for verifying that this unique user identifiers is proper and therefore voucher is effective and unrepealed.The inquiry generated by the cryptographic key of verifier being specified or verifier is applied to and presents proof, and verifier determines whether voucher is cancelled.

The inquiry generated except the cryptographic key of specifying via verifier or verifier, to prove except non-cancelling, presents and proves for multiple fail safe object (such as proving integrality and the source authenticity of the attribute that the user be associated with presented voucher discloses) and establish user to have private cipher key for presenting/signing attribute and transactional related data.Example implementation can partly utilize the promise of voucher to generate for present the hashed value proving to compare.

Therefore, present proof and also can be called as the signature verified of specifying, its generally definition specially for user generate and the digital signature only can verified by secret.The signature that can verify allows for specific objective verifier but not anyone digital signature generates.

Should be appreciated that any example is herein all unrestriced.Therefore, the present invention is not restricted to any specific embodiment as herein described, aspect, concept, structure, function or example.On the contrary, any embodiment described herein, aspect, concept, structure, function or example are all nonrestrictive, can generally speaking to provide the various modes of benefit and advantage to use the present invention in calculating and computational security.

Fig. 1 explains orally the block diagram according to the example identity management system of one or more example implementation.An exemplary components of identity management system comprises certifier 102, this certifier 102 is configured to representative of consumer and obtains safe minimum disclosure voucher to issuer 104, and then initiates the checking request for certain ISP be associated with this user for verifier 106.Issuer 104 generally refers to that the authority for the encrypted message (comprising public/privately owned cryptographic key and security credence) of the subscriber computer managed by identity management system originates.The certifier 102 operated on example user computer provides various data to issuer 104, and these various data, once certified, are just also returned as the security attribute data be embedded in safe minimum disclosure voucher 108 by coding.For clearly object, minimum disclosure voucher 108 can be called as voucher 108 in this article.Minimum disclosure voucher 108 can be stored in equipment (such as, smart card, mobile phone or line server).

Verifier 106 refers generally to the trusted hardware/software mechanism run in the computing equipment providing various service.Verifier 106 can use various mechanism to perform credential verification and to cancel.As an example, verifier 106 process from certifier 102 be configured to confirm that voucher 108 and/or the non-of any transaction be associated cancel assembly 110.

Voucher 108 can comprise encoded attribute data, such as identity data (such as, full name, social security number (SSN) and/or fellow), and other data various.Certifier 102 can safeguard other vouchers, wherein the different piece of each voucher encoded attributes, makes user optionally disclose privately owned and/or security information.As described in this article, voucher 108 comprises the encoded attribute do not disclosed, and except for those each side with key or function, this encoded attribute do not disclosed can not be deciphered and maybe can not identify.According to an example implementation, issuer 104 use various data for voucher 108 configures one or more public/private cipher key, the element of described various data such as another cryptographic key (it can be called as privacy key or private cipher key), encoded attribute data and/or Prime Orders cyclic group.

As described herein, if certain ISP of this user's request access, non-assembly 110 of cancelling is applied to the request that voucher 108 and/or other data determine to permit or refuse this user by verifier 106, keeps this user anonymity simultaneously.User can disclose voucher 108, and it can comprise sizable mathematical number or structure, and without the need to the tissue of the identity or user that disclose user or equipment.Voucher 108 comprises at least one unique identifier corresponding to user.

Issuer 104 and certifier 102 set up various parameter according to the Groups of Prime Orders structure not with Bilinear Pairing; And based on these parameters, issuer 104 or independently authoritative institution generates voucher 108, this voucher 108 has password according to the compatible format of an example embodiment and user data.

The example parameter set up between issuer 104 and certifier 102 comprises group structure is selected.If example parameter specifies subgroup structure, then group description (p, q, g) specify the subgroup of the Prime Orders q of the finite field of rank p.P and q be prime number both, the divisible p-1 of q, and g is generator (generator).Another example parameter is based on prime field on elliptic curve cipher art designated group structure, group description (p, a, b, g, q, h) specify finite field on elliptic curve, wherein p is prime number, a and b be definition this elliptic curve two field elements, g is the basic point (g of Prime Orders q on this curve _x, g _y) (and generator), q is this order of a group, and h is the cofactor of this curve.These population spikes can form the basis for generating standardized password group and primitive.

In order to an exemplary group is described structure, order be cyclic group, its rank are prime number q and its element can be represented as wherein i=0...q-1.Some in these elements refer to generator in this article, and this generator is configured to generate each group element, make for arbitrary i, for the group of Prime Orders after this set is represented wherein it is the identity element of this group.Unless otherwise indicated, the calculating of middle element is assumed to be in modq.

Cyclic group an example implementation meet discrete logarithm (DL) and suppose, wherein for each probabilistic polynomial time (PPT) algorithm A (wherein ), be negligible with minor function for security parameters l.

Cyclic group another example implementation meet strong Diffie-Hellman (SDH) and suppose, it has been set forth, and generally do not exist can from tuple it is right to calculate (wherein ) probabilistic polynomial time (PPT) algorithm A.In addition, cyclic group meet strong Diffie-Hellman (SDH) to suppose, in this strong Diffie-Hellman (SDH) supposes, for each probabilistic polynomial time (PPT) algorithm A (wherein ), be insignificant with minor function:

Based on the one or both in these hypothesis, example system realizes at least two and cancels scheme based on accumulator.These schemes can comprise arbitrarily based on the scheme of Prime Orders password group.Be appreciated that the disclosure contemplate use replacement based on other hypothesis cancel scheme based on accumulator.Each scheme of cancelling provides the polynomial time of general dynamic accumulators and correspondence functional.Quite a large amount of binary strings is treated to and inputs and export parameters by an illustrative functions (such as, " Setup (setting) " function), and comprising will by the territory of element of adding up and/or supplementary.Parameters and a group element are treated to and input and return accumulator by another illustrative functions.Optionally, supplementary can be used to more efficiently calculate accumulator.Another group illustrative functions represent be configured to prove a certain element in fact in accumulator by the membership qualification proof system added up.Access to your password data 114, this group element and the attribute do not disclosed that is used as voucher 108 of illustrative functions calculates the membership qualification evidence proved for this.Also one group of illustrative functions represents non-member qualification proof system, and this non-member qualification proof system proves that a certain element is not added up in accumulator.

If exist its cost do not rely on for add user identifier to accumulator or from accumulator, remove user identifier and upgrade non-member qualification or membership qualification evidence the polynomial time function of the quantity of element that adds up, then accumulator is dynamic.These user identifiers represent one group of reversed voucher or one group of effective voucher.One or more example implementation of code data 114 comprise the code data being exclusively used in verifier, for calculating accumulator, upgrading accumulator and/or use non-assembly 110 of cancelling to determine voucher validity subsequently in response to certificate revocation.

Exemplarily, the realization not having central revocation authoritative institution is the following described, wherein be Prime Orders cyclic group and represent the inquiry to certifier 102 from verifier 106.Suppose that n element is accumulated to the accumulator representing reversed identifier, the identifier u in reversed identifier is not member and its evidence is defined as function f (x)=c (x) (x-u)+d according to the scheme of cancelling.Value u represents the non-identifier of cancelling the user of assembly 110 generating the non-member qualification of proof u in accumulator for its certifier 102.Value d represents remainder values.Certifier 102 calculates remainder d and function with coefficient a _i.Certifier 102 will promise to undertake C ₁be delivered to the coefficient of remainder d and function c (x) (wherein ) and receive as the inquiry returned certifier 102 can calculate cryptographic element A=g ^{f (x)}and specify this element for confirming not cancelling of voucher 108 for verifier 104.Alternatively, certifier 102 can receive this element from verifier.By using this element, certifier 102 generates u, d, a _i(i=0...n-1), r _u, r ₁, r ₂, r ₂' zero-knowledge proof, make wherein C _urepresent the promise to user identifier and C ₂represent the promise to function c (x), thus prove that user is not accumulated in the reversed identity of this group.

Example implementation comprises the cryptographic key that one or more verifier specifies, such as public keys with private cipher key δ, both equal authenticatees 106 and/or cancel authoritative institution 112 and safeguard.Usually, private cipher key integer and random group's generator multiplicative group, make K=H ^δ.Alternatively, H and G can with other issuer relating to parameters, such as H=g and/or G=g ₁.Private cipher key δ can randomly from middle generation.

Relate to according to one the example embodiment that U-proves cryptography scheme, issuing period, certifier 102 generating cipher key, the such as key of voucher 108 the public keys of the correspondence of voucher 108 comprises and is encoded as attribute x _ithe unique user identifiers x of one of (1≤i≤n) _id, the public keys of this correspondence is assessed as wherein for each property value of i...n be generated.In order to a certain identity is piped off, cancel authoritative institution and to add up x _id.In an exemplary realization, x _ididentifying user or tissue uniquely.

According to an example implementation, verifier 106 or the alternatively a certain agreement independently cancelled storage vault 116 that authoritative institution is provided for storing the information relevant with various cryptography scheme and also realize for the identity to third party (such as ISP) authentication of users without the need to disclosing this identity.As will be appreciated, this completes without the need to disclosing privately owned or security information (such as, social security number, credit number, intellectual property and/or password etc.) when.In an exemplary realization, thesaurus 116 comprises each mathematical number (such as, more than the numeral of 100 unitss) following certain known password principle.

Such as, thesaurus 116 comprises the encoded attribute be associated with at least one reversed user with blacklist form.These attributes can refer to the voucher through adding up of reversed user.Alternatively, thesaurus 116 comprises the voucher through accumulation of the validated user with white list form.Thesaurus 116 also comprises the bag of mathematical number, and when being applied to the corresponding part of voucher 108, the bag of this mathematical number realizes verifying for the secured user of ISP.

As cancelling the cumulative identifier be associated with at least one reversed user of verifier 106 of authoritative mechanism operation to create the value representing each member, it can be called as accumulator.According to some embodiment of the present disclosure, such value can exceed hundreds of units and form a part for blacklist.Similarly, the user identifier of at least one validated user can be added up and be formed white list.

As described in this article, if user is not the member of blacklist, or alternatively, if user is the member of white list, then non-one or more mathematical values of cancelling assembly 110 and comprising supplementary accumulator.These mathematical values can comprise one or more membership qualification/non-member qualification proof assembly, one or more evidence values and/or one or more commitment value etc.By using this one or more evidence value, certifier 102 generates and is used for while optionally disclosing some attribute, prove that membership qualification or the non-of non-member qualification cancel assembly 110.User retains will remain privately owned any information.In an example embodiment, user only transmits credential identifier, and does not transmit other attributes.

Non-ly cancel the digital signature that assembly 110 forms user on the proof of ownership of the private cipher key of certifier 112 and transactional related data, in this transactional related data, digital signature can be verified via the code data of verifier-specific.Thus, non-cancel assembly 110 take on transactional related data (such as, message) can certifying digital signature.In order to create the digital signature with voucher, the public keys that certifier 102 uses verifier to specify non-ly cancels assembly 110 to generate.Non-assembly 110 of cancelling also comprises the various code datas making verifier 106 can carry out certification digital signature in the following manner: the promise of Service Ticket is that the public keys using verifier to specify generates, and/or the evidence based on accumulator of Service Ticket is that the inquiry that the private cipher key that uses verifier to specify or verifier specify generates.

Optionally, issuer 104 can not use the mode of voucher to issue voucher 108 to certifier 102 with certifier 102 when not having the assistance of trusted device (such as, smart card, mobile phone or line server).Generally speaking; such equipment can be configured to the multiple vouchers effectively protecting an any amount issuer to issue; and dynamically (such as, at presentative time) represents issuer, verifier or third party and carrys out implementation strategy-and without the need to the privacy of sacrificing certifier 102 and without the need to mutual with issuer 104.

Fig. 2 explains orally the block diagram according to the exemplary protocols for credential verification of one or more example implementation.This example system is the replacement realization of the example system about Fig. 1 description.The each side related in this exemplary protocols comprises identity management system 202, ISP 204, user's computing equipment 206 and Identity Provider 208.Understand, any other side can be supplemented in any operation place of this exemplary protocols defined.

Identity management system 202 can be implemented as network or cloud computing resources, and wherein issuer 210 generates various code data, comprises the cryptographic key based on Prime Orders cyclic group and other cryptographic primitives.The exemplary architecture of identity management system 202 comprises liveId and azure ^tMactive (Active Directory), wherein trusted security token service (STS) authenticated user is also issued subsequently for accessing the voucher that other rely on service.Cancel authoritative institution by the verifier specified taken on for the cryptography scheme based on accumulator, verifier's character of specifying of trusted STS provides the privacy of another rank.An embodiment of identity management system 202 can be the Integration Services on network or cloud computing resources, such as azure ^tMactive federated service.

Identity management system 202 configuration verification mechanism (being called verifier 216 herein) is to represent ISP 204 authenticated user computing equipment.Identity management system 202 also can realize cancelling authoritative institution 212 for what manage the blacklist that comprises reversed and/or effective identifier respectively and/or white list.An example implementation of this exemplary protocols relate to cancel authoritative institution 212 one group of cryptographic key is assigned to each credential verification mechanism.

User adopts security credence technology optionally to disclose attribute information, and is still allowed the access to the service be associated with ISP 204.ISP 204 comprises various online (that is, internet) characteristic, and described characteristic adopts and cancels based on the identity of accumulator and verify the information protected and be stored in computer data.ISP 204 uses identity management system 202 to confirm for voucher in the following manner: by non-cancel component application to the voucher be associated with user to determine one group of reversed identity as described in this article or one group of effective identity arbitrary in membership qualification or non-member qualification.

In order to an example is described, Identity Provider 208 comprises license department, and this license department uses various user data to generate at least one voucher and this at least one voucher is presented to user.As described in this article, each voucher comprises the various combination of attribute, and attribute is identification numbers (VIN), automaker/model, credential identifier, owner's name and/or driver license number etc. such as.Depend on that user expects to disclose which attribute (if there is), license department configures effective voucher with only having the coding of these attributes.Identity Provider 208 makes to cancel authoritative institution 212 can cancel this voucher based on the feature of the validated user identifier be embedded within as attribute in voucher.Once be cancelled, be associated with this voucher public/private cipher key is to can not again be used.

As depicted in figure 2, an example implementation of exemplary protocols performs the sequence at least operated, and wherein each operation corresponds to particular order time point.The label of each operation be the sequence location representing this operation add number of turns word.

In operation one (1), when the assembly being called as issuer 210 generates the parameters data comprised for the protection of the code data of user data, identity management system 202 starts this exemplary protocols.Generate parameters and cause the hashing algorithm of safety on the identifier for issuing voucher etc. (such as, the identifier of application specific), password, any combination of public/private cipher key.

According to an example implementation, cancel authoritative institution 212 randomly from Groups of Prime Orders middle generation private cipher key δ also specifies private cipher key δ for credential verification.Be appreciated that private cipher key δ can be called privately owned (password) key 214 that verifier specifies by the disclosure, vice versa.Cancel key 214 that authoritative institution 212 provides verifier to specify to verifier 216 to perform credential verification.As described in this article, credential verification can relate to determines non-member qualification in blacklist or white list or membership qualification respectively, and wherein blacklist represents that one group of reversed user identity and/or white list represent one group of validated user identity.If the identity of user is cancelled, then also cancelled based on any voucher of this identity and be regarded as invalid.

In operation two (2), unique identifier is assigned to the equipment of user and notifies the value of unique identifier to identity management system 202 by Identity Provider 208, and it can refer to the tissue of user or user.Issuer 210 is by embedded for the unique identifier attribute for not disclosing in voucher.As an example, issuer 210 adopts Cryptographic Hash Function calculate hashed value with unique identifier, what this hashed value represented that user can absorb to prove unique identifier non-ly cancels and obtains an instance attribute of the access to ISP 204.As another example, the value of unique identifier is converted to the binary coding of the signless integer with large end (big-endian) byte-orders by issuer 210, and it must be less than q using as multiplicative subgroup effective element.

In operation three (3), via user's computing equipment 206, user is to some voucher of Identity Provider 208 certification.In order to explain orally an example, this user is by using effective password to sign in in the web server that is associated with Identity Provider 208.In operation four (4), unique identifier code is the voucher of the attribute do not disclosed and is stored in user's computing equipment 206 by this voucher by user's reception.Optionally, this voucher can be stored in and be coupled in the trusted device of separating of user's computing equipment 206.

The assembly being called as certifier 220 in this article of user's computing equipment 206 is configured to use effective voucher to obtain the access to ISP 204.Relate to the example embodiment of U-evidence voucher according to one, certifier 220 generates private cipher key randomly and use the public keys of issuer 210 to calculate public keys wherein attribute x _ione of encoding user identifier x _id.The mould multiplication inverse (modularmultiplicativeinverse) of public keys makes public keys randomization.

According to an example implementation, suppose for user identifier x _idexample cancel attribute and correspond to and want reversed voucher, cancel authoritative institution 212 and select this user identifier for cancel and by x _idbe added in accumulator 218.User identifier x _idarbitrary object can be represented; In order to several examples being described, x _idvoucher, user or tissue can be identified uniquely.

Cancelling authoritative institution 212 uses the q identical with issuer 210 to produce the accumulator 218 of the private cipher key 214 that the one or more component with public keys pka and verifier specify.In an example implementation, cancel authoritative institution 212 and comprise the blacklist representing at least one reversed identifier or the white list alternatively representing at least one effective identifier.Cancel authoritative institution 212 available signatures to announce this blacklist and/or white list, or alternatively, this blacklist and/or white list are remained secret.If signed, arbitrary people with public keys can confirm the blacklist/white list through signature.

The private cipher key 214 that the value comprising evidence 222 is specified by use verifier calculates and is sent to user, user identifier x in this value determination accumulator 218 _idmembership qualification or non-member qualification.From that time, when being changed based on the history of accumulator value by the list that adds up, user's this evidence renewable.As described in this article, accumulator 218 and evidence 222 is used to generate proof 224 so that the identity of authentication of users is not cancelled and therefore, the voucher of user is effective.Prove that 224 are included in ISP 204 (such as online vehicle auction web server) place and strengthen the non-member qualification proof of fail safe or membership qualification proves.Membership qualification proves user identifier x _idproved by cumulative.On the contrary, non-member qualification proof is to user identifier x _iddo not proved by cumulative.Based on the private cipher key 214 that proof 224 and verifier are specified, verifier 216 determines whether the identity of user is not cancelled and therefore voucher is effective.

In operation five (5), the authoritative institution 212 that cancels of identity management system 202 is updated periodically the blacklist of reversed identifier or includes the white list of effect identifier.In an example implementation, effective voucher is delivered to and cancels authoritative institution 212 by Identity Provider 208 and/or other Identity Provider, and at time point after a while, notifies to cancel authoritative institution 212 when these identity become and cancelled.

In order to an example implementation is described, for comprising one group of reversed identifier the blacklist of (wherein m≤k), uses expression formula accumulator 218 can be calculated in polynomial time.If effectively identifier white list but not blacklist be used, then can use identical expression formula in polynomial time, calculate accumulator 218, wherein δ is the private cipher key 214 that verifier specifies.

In operation six (6), user periodically obtains and non-ly cancels evidence from identity management system 202.These non-evidences of cancelling comprise from the value for calculating the unique identifier attribute of voucher.In one implementation, for the user identifier x not in blacklist _id, evidence 222 is marked as (W, d, Q) and uses expression formula calculate, thus prove x _idbe not accumulated in (then Q=W in V ^δ).If there are several members adding to blacklist or white list or delete, then identity management system is upgrading W completely, upgrades Q after d.

Adding in the example implementation be associated with member, when the new attribute x ' of reversed identifier is accumulated in accumulator 218, user identifier x _idfresh evidence (W ', d ', Q ') can be calculated as $(W^{\′}=$ $VW(x^{\′}-x_{id}),d^{\′}=d(x^{\′}-x_{id}),Q^{\′}=V^{\′}{W}^{\′-x_{id}}{P}^{-d^{\′}}),$ Wherein V ' is new for the value added up.For the realization relating to member deletion, when being removed by the attribute x ' added up, x _idfresh evidence (W ', d ', Q ') can be calculated as $(W^{\′}={\left(V^{\′-1}W\right)}^{\frac{1}{x^{\′}-x_{id}}},d^{\′}=\frac{d}{x^{\′}-x},Q^{\′}=V^{\′}{W}^{\′-x_{id}}{P}^{-d^{\′}}).$

In operation seven (7), user presents the evidence 222 of voucher and accumulator 218 to ISP 204 and proves 224.As described in this article, evidence 222 is used to generate and is stored in non-member qualification in proof 224 or membership qualification proves.For certain the value x in the voucher be not accumulated in accumulator 218 _id, prove this x _idfollowing formula is not equal to by cumulative:

Order and then Y=X ^δand last expression formula is equal to:

5 steps refer to for generating for x below _idpromise the example implementation of non-member qualification proof of validity, wherein u is arranged by following commitment scheme:

1. generate

2. calculate

$B:G^{k_0}{H}^{t_0}$

$X:{\mathrm{WH}}^{t_1};Y:={\mathrm{QK}}^{t_1};R:=G^{t_1}{H}^{t_2};S:=G^{d^{-1}}{H}^{t_3}$

$T_1:=G^{k_1}{H}^{k_2};T_2:=G^{k_7}{H}^{k_4}{R}^{-k_0};T_3:=G^{k_6}{H}^{k_3};T_4:=H^{k_3}$

$\mathrm{\Γ}:=X^{-k_0}{H}^{k_7}{K}^{k_1}{P}^{-k_5}$

3. calculate hash to address inquires to

4. calculate

r ₀：＝-cu+t ₀modq；s ₀：＝-cx _id+k ₀modq

foreachi∈{1，2，3}，s _i：＝-ct _i+k _imodq

s ₄：＝-ct ₂x _id+k ₄modq；s ₅：＝-cd+k ₅modq

s ₆：＝-cd ^-1+k ₆modq；s ₇：＝-ct ₁x _id+k ₇modq

s ₈：＝-ct ₃d+k ₈modq

Delete t ₀, t ₁, t ₂, t ₃, k ₀..., k ₈

5. return c, r ₀, s ₀..., s ₈, the proof generated of X, Y, R, S

First step in above step refers to middle generation random number (such as, integer), for the Prime Orders cyclic group of the rank q under addition. set for group in element be isomorphism.About second step, calculate in step 3 the object that hash addresses inquires to c, certifier 220 uses x _idpromise calculate group in multiple different mathematics element.By using user identifier x _id, certifier addresses inquires to c, commitment value and user identifier x based on hash _idcalculate one group of arithmetic number r ₀, s ₀..., s ₈.With element X, Y, R, S together, r ₀, s ₀..., s ₈set and hash are addressed inquires to c and are formed digital signature at least partially, thus allow user to prove the authenticity of promising to undertake, it means the identifier x of submission _idbe used to calculate evidence 222.

In above proof, T ₃, T ₄, s ₅, s ₆display d ^-1existence, d ≠ 0 thus.X _idpromise can change, so between ISP 204 and user's computing equipment 206 present agreement change.

Following five steps refers to for generating for x _idpromise one of non-member qualification proof replace and realize:

1. generate

2. calculate

$X:={\mathrm{WH}}^{t_1};Y:={\mathrm{QK}}^{t_1}$

$C_d:=P^d{G}^{t_2};C_x:=H^x{G}^{t_3}$

w：＝d ^-1modq；z：＝t ₁t ₃-t ₂modq；z′：＝-t ₂wmodq

$T_1:=X^{k_1}{\left(C_{x}K\right)}^{-k_2}{G}^{k_3}$

$T_2:=G^{k_1}{H}^{k_4}$

$T_3:=H^{k_1}{G}^{k_5}$

$T_4:={\left(C_d\right)}^{k_6}{G}^{k_7}$

3. calculate hash to address inquires to

4. calculate

s ₁：＝-cx+k ₁modq；s ₂：＝-ct ₁+k ₂modq

s ₃：＝-cz+k ₃modq；s ₄：＝-cu+k ₄modq

s ₅：＝-ct ₃+k ₅modq；s ₆：＝-cw+k ₆modq

s ₇：＝-cz′+k ₇modq

Deletion z, z ', t ₁, t ₂, t ₃, k ₁..., k ₇

5. return c, s ₁..., s ₇, X, Y, C _x, C _dthe proof generated

Following five steps refers to for generating for x _idpromise non-member qualification proof another replace realize:

1. generate

2. calculate

$X:={\mathrm{WH}}^{t_1};Y:={\mathrm{QK}}^{t_1}$

$C_d:=P^d{G}^{t_2},$

w：＝d ^-1modq；z：＝t ₁u-t ₂modq；z′：＝-t ₂wmodq

$T_1:=X^{k_1}{\left(CK\right)}^{-k_2}{G}^{k_3}$

$T_2:=H^{k_1}{G}^{k_4}$

$T_3:={\left(C_d\right)}^{k_5}{G}^{k_6}$

3. calculate hash to address inquires to

4. calculate

s ₁：＝-cx+k ₁modq；s ₂：＝-ct ₁+k ₂modq

s ₃：＝-cz+k ₃modq；s ₄：＝-cu+k ₄modq

s ₅：＝-cw+k ₅modq；s ₆：＝-cz′+k ₆modq

Deletion z, z ', t ₁, t ₂, k ₁..., k ₆

5. return c, s ₁..., s ₆, X, Y, C _dthe proof generated

In operation eight (8), ISP 204 is by voucher and prove that 224 are delivered to identity management system 202 for checking.According to an example implementation, cancel authoritative institution 212 by using, verifier 216 determines that voucher is not the member of the blacklist comprising reversed identifier.If voucher is misapplied in some way, then voucher can be cancelled and user identifier can be accumulated to represent at least one reversed identifier accumulator 218 in.In arbitrary realization, cancel authoritative institution 212 and use at least one attribute from the reversed voucher of identity of its user each to calculate accumulator 218.

In order to produce evidence 222, cancelling authoritative institution 212 and using accumulator 218, formed voucher basis Prime Orders cyclic group generator and be presented to verifier 216 public/private cipher key pair.Accumulator 210 and evidence 222 can be supposed based on strong Diffie-Hellman.In another example implementation, certifier 220 calculates the value of evidence 222.

Two steps illustrate the promise of the verifier 216 in wherein identity management system 202 for x below confirm to be labeled as c, r ₀, s ₀..., s ₈, an exemplary realization of the blacklist non-member qualification proof of X, Y, R, S:

1. calculate

$B:=C^{s_0}{H}^{r_0}{C}^c$

$T_1:=G^{s_1}{H}^{s_2}{R}^c;T_2:=G^{s_7}{H}^{s_4}{R}^{-s_0};$

$T_3:=G^{s_6}{H}^{s_3}{S}^c;T_4:=G^{-c}{H}^{s_8}{S}^{-s_5};$

$\mathrm{\Γ}:=X^{-s_0}{H}^{s_7}{K}^{s_1}{P}^{-s_5}{\left(V^{-1}Y\right)}^c$

2. verify

Y＝ _？X ^δ

Two steps illustrate that verifier 216 in wherein identity management system 202 is for x below _idpromise come confirm to be labeled as c, s ₁..., s ₇, X, Y, C _x, C _done of blacklist non-member qualification proof replace exemplary realization:

1. calculate

$T_1:={\left({\mathrm{VY}}^{-1}{\left(C_d\right)}^{-1}\right)}^c{X}^{s_1}{\left(C_{x}K\right)}^{s_2}{G}^{s_3}$

$T_2:=C^c{G}^{s_1}{H}^{s_4}$

$T_3:={\left(C_x\right)}^c{H}^{s_1}{G}^{s_5}$

$T_4:=P^c{\left(C_d\right)}^{s_6}{G}^{s_7}$

2. verify

Two steps illustrate that verifier 216 in wherein identity management system 202 is for x below _idpromise confirm to be labeled as c, s ₁..., s ₆, X, Y, C _dblacklist non-member qualification proof second replace exemplary realization:

1. calculate

$T_1:={\left({\mathrm{VY}}^{-1}{\left(C_d\right)}^{-1}\right)}^c{X}^{s_1}{\left(CK\right)}^{-s_2}{G}^{s_3}$

$T_2:={\left(C\right)}^c{H}^{s_1}{G}^{s_4}$

$T_3:=P^c{\left(C_d\right)}^{s_5}{G}^{s_6}$

2. verify

Y＝ _？X ^δ

First step being labeled as " calculating " relates to the value extracted from proof 224 and comprise hash inquiry c, and calculates the mathematics element of Prime Orders cyclic group based on extracted value.The Part I be labeled as in the second step of " checking " usually calculates hashed value based on the mathematics unit calculated during first step, and this hashed value and hash are addressed inquires to c compare the authenticity determining user's computing equipment 206, and without the need to understanding the identity of user.The Part II of fail safe step determines whether key δ that verifier specifies is used to calculate the evidence 222 of voucher.If so, then verifier 216 can assure to ISP 204 with regard to the validity of voucher, and without the need to disclosing the identity of user.

For wherein prove 224 be white list membership qualification prove embodiment, use for the x in the effective voucher of this group of accumulator 218 _idexpression formula calculate member's certification according to (W, Q).Thus, (W, Q) is instruction x _idbe accumulated in the evidence in V, wherein Q=W ^δ.

When member to be added for white list or to delete, identity management system 202 only upgrades Q after upgrading W completely.Member add an exemplary realization in, when new voucher x ' by cumulative time, x _idfresh evidence (W ', Q ') can be calculated as wherein V ' is new accumulated value.In an exemplary realization of member deletion, when cumulative voucher x ' is removed, x _idfresh evidence (W ', Q ') can tuple be calculated as $(W^{\′}={\left(V^{\′-1}W\right)}^{\frac{1}{x^{\′}-x_{id}}},Q^{\′}=V^{\′}{W}^{\′-x_{id}}).$

For generating cumulative x _idmembership qualification prove, calculating or upgrade x _idevidence (W, Q) after, prove x _idfollowing formula is equal to by cumulative:

By specifying with then Y=X ^δ, and above expression formula can be reduced to: due to x _idthe change of compatible commitment scheme, also change so present agreement.Four steps illustrate for x below _idpromise example white list membership qualification prove to generate:

1. generate and calculate

$B:=G^{k_0}{H}^{t_0}$

$X:{\mathrm{WH}}^{t_1};Y:={\mathrm{QK}}^{t_1};R:=G^{t_1}{H}^{t_2}$

$T_1:=G^{k_1}{H}^{k_2};T_2:=G^{k_3}{H}^{k_4}{R}^{-k_0};\mathrm{\Γ}:=X^{-k_0}{H}^{k_3}{K}^{k_1}$

2. calculate hash to address inquires to

3. calculate

r ₀：＝-cu+t ₀modq；s ₀：＝-cx _id+k ₀modq

foreachi∈{1，2}，s _i：＝-ct _i+k _imodq

s ₃：＝-ct ₁x _id+k ₃modq；s ₄：＝-ct ₂x _id+k ₄modq

Delete t ₀, t ₁, t ₂, k ₀..., k ₄

4. generate membership qualification to prove

c，r ₀，s ₀，...，s ₄，X，Y，R

Four steps illustrate for x below _idpromise one replace white list membership qualification and prove to generate:

1. generate and calculate

$X:={\mathrm{WH}}^{t_1};Y:={\mathrm{QK}}^{t_1}$

$C_x:=H^x{G}^{t_2}$

z：＝t ₁t ₂modq

$T_1:=X^{k_1}{\left(C_{x}K\right)}^{-k_2}{G}^{k_3}$

$T_2:=G^{k_1}{H}^{k_4}$

$T_3:=H^{k_1}{G}^{k_5}$

2. calculate hash to address inquires to

3. calculate

s ₁：＝-cx+k ₁modq；s ₂：＝-ct ₁+k ₂modq

s ₃：＝-cz+k ₃modq；s ₄：＝-cu+k ₄modq

s ₅：＝-ct ₂+k ₅modq

Delete z, t ₁, t ₂, k ₁..., k ₅

4. generate membership qualification to prove

c，s ₁，...，s ₅，X，Y，C _x

Four steps illustrate for x below _idpromise one replace white list membership qualification and prove to generate:

1. generate and calculate

$X:={\mathrm{WH}}^{t_1};Y:={\mathrm{QK}}^{t_1}$

z：＝t ₁umodq

$T_1:=X^{k_1}{\left(CK\right)}^{-k_2}{G}^{k_3}$

$T_2:=H^{k_1}{G}^{k_4}$

2. calculate hash to address inquires to

3. calculate

s ₁：＝-cx+k ₁modq；s ₂：＝-ct ₁+k ₂modq

s ₃：＝-cz+k ₃modq；s ₄：＝-cu+k ₄modq

Delete z, t ₁, t ₂, k ₁..., k ₄

4. generate membership qualification to prove:

c，s ₁，...，s ₄，X，Y

Two steps illustrate that verifier 216 in wherein identity management system 202 is by for promise below checking is being labeled as c, r ₀, s ₀..., s ₄, the value provided in the white list membership qualification proof of X, Y, R is to confirm voucher x _idan exemplary realization:

1. calculate

$B:=G^{s_0}{H}^{r_0}{C}^c$

$T_1:=G^{s_1}{H}^{s_2}{R}^c;T_2:=G^{s_3}{H}^{s_4}{R}^{-s_0};$

$\mathrm{\Γ}:=X^{-s_0}{H}^{s_3}{K}^{s_1}{\left(V^{-1}Y\right)}^c$

2. verify

Y＝ _？X ^δ

First step being labeled as " calculating " relates to the value extracted from proof 224 and comprise hash inquiry c, and calculates the mathematics element of Prime Orders cyclic group based on extracted value.The Part I be labeled as in the second step of " checking " usually calculates hashed value based on the mathematics unit calculated during first step, and this hashed value and hash are addressed inquires to c compare the authenticity determining user's computing equipment 206, and without the need to understanding the identity of user.Hashed value compares determines x _idpromise whether by using user identifier x _idbut not junk data comes by Practical Calculation.The Part II of fail safe step determines whether the key δ that verifier specifies is used to calculate user identifier x _idevidence 222.

Two steps illustrate that verifier 216 in wherein identity management system 202 is by for promise below checking is being labeled as c, s ₁..., s ₅, X, Y, C _xwhite list membership qualification prove in the value that provides to confirm that one of voucher is replaced exemplary realization:

1. calculate

$T_1:={\left({\mathrm{VY}}^{-1}\right)}^c{X}^{s_1}{\left(C_{x}K\right)}^{s_2}{G}^{s_3}$

$T_2:=C^c{G}^{s_1}{H}^{s_4}$

$T_3:={\left(C_x\right)}^c{H}^{s_1}{G}^{s_5}$

2. verify

Y＝ _？X ^δ

Two steps illustrate that verifier 216 in wherein identity management system 202 is by for promise below checking is being labeled as c, s ₁..., s ₄, the value provided in the white list membership qualification proof of X, Y is to confirm that second of voucher replaces exemplary realization:

1. calculate

$T_1:={\left({\mathrm{VY}}^{-1}\right)}^c{X}^{s_1}{\left(CK\right)}^{-s_2}{G}^{s_3}$

$T_2:=C^c{H}^{s_1}{G}^{s_4}$

2. verify:

Y＝ _？X ^δ

Fig. 3 explains orally the flow chart for using minimum disclosure voucher to initiate the exemplary step of transaction while keeping anonymity according to one or more example implementation.In one implementation, exemplary step is performed by various hardware and/or software, the certifier 102 of all Fig. 1 as described in this article.

The step described in Fig. 3 starts from step 302 and proceeds to step 304, and reason uses the voucher that standardized password group builds herein.Exemplarily illustrate, national standard and Institute for Research and Technology (NIST) are provided for the example embodiment of several password group.One or more Credential parameters (such as public code key) can generate with/without any Bilinear Pairing and/or based on discrete logarithm.Such as, group's generator of Prime Orders finite field subgroup or elliptic curve and the private cipher key that generated by the additive subgroup of integer is used to calculate public code key.Two subgroups all have identical rank and/or mutual isomorphism.Some example embodiment do not adopt Bilinear Pairing to realize credential verification and to cancel.Owing to lacking central authority, instantiation can be carried out by the mode of more self-organizing in standardization password subgroup, and it allows cryptographic key or inquiry value to keep maintaining secrecy to other computing equipments except the verifier specified.

The following describe wherein represent by element one or more example implementation of the standardized password cyclic group (its rank are prime number q) generated.The private cipher key that verifier specifies generates for accumulator and is marked as k=H ^δvalue also calculated.For being by the corresponding domain of the element added up the public keys of accumulator is group any group that rank q can be the standardized group of any NIST or be used by suitable cryptography scheme.

With reference to proving with U-the example embodiment that cryptography scheme is associated, certifier receives at least following information from identity management system during agreement issued by voucher:

Issuer parameter field:

The Ordered indices of the attribute disclosed:

The Ordered indices of the attribute do not disclosed: U={1 ..., n}-D

The Ordered indices of the attribute submitted to:

Message: m ∈ { 0,1} ^*

U-evidence voucher:

Private cipher key:

Property value: (A ₁..., A _n) ∈ { 0,1} ^*

Accumulator public keys

Evidence: (W, d, Q)

Be appreciated that U-proves that cryptography scheme is an example embodiment and other cryptography schemes can adopt privately owned code data to confirm the non-proof cancelled of voucher.Step 306 checks the attribute data of voucher and mark comprises unique user identifiers x _idattribute is cancelled, this unique user identifiers x at interior _idthere is the form of clear data (such as, integer) or there is this group property value { A of encoded data (such as, hashed value) form ₁..., A _nin member.By using unique user identifiers x _id, step 306 generates the non-evidence value cancelled being used for evidence voucher.Blacklist/the white list of the announcement of the accumulator comprised through signature can be used to calculate evidence value.Alternatively, certifier can cancel evidence value (W, d, Q) from the authoritative institution that cancels of identity management system to receive the non-of voucher.

Step 308 is based on the public keys element of accumulator calculate for user identifier x _idpromise.Calculating promise by these public keys elements being applied to secret value (all unique identifiers as described in this article), making promise not only be tied to secret value but also hide secret value.The public keys element of accumulator can be set as G:=g and H:=g ₁, wherein g, g ₁extract from issuer parameter.Alternatively, H and G can be set to H=g and/or G=g ₁, or be selected randomly.

Step 310 represents that transaction prepares and present to prove to generate.Be appreciated that except the validity of evidence voucher, present the integrality of the related news that prove can be used to conclude the business to service provider authentication.For as follows in an example embodiment of the promise presenting raw paired attributes in proof:

For each

i∈C

From generate

${\tilde{o}}_i,{\tilde{w}}_i$

${\tilde{c}}_i:=g^{x_i}{g}_1^{{\tilde{o}}_i}$

Do not disclose but the property index i submitted to, from subgroup for each middle generation random value and random value then be used to calculate and promise to undertake and hashed value

Below relate to an example implementation of the inquiry value of the promise for generating the identifier for authentication of users:

r ₀：＝cα ^-1+w ₀modq

For each i ∈ U, r _i:=-cx _i+ w _imodq

Presenting the voucher with at least one promise and a vacancy allows user to pass through user identifier x while realization checking _idremain secret and access online service anonymously.Authentication of users identifier x _idrelate to the checking to the cryptographic hash inquiry that the person of being proved to be and verifier independently calculate.

Example implementation can proceed to next group operation:

For each i ∈ C, ${\tilde{r}}_i=-c{\tilde{o}}_i+{\tilde{w}}_i\mathrm{mod}q$

Delete

Generate random

$B:=g^{k_0}{g}_1^{t_0}$

$X:={\mathrm{WH}}^{t_1};Y:={\mathrm{QK}}^{t_1};R:=G^{t_1}{H}^{t_2};S:=G^{d^{-1}}{H}^{t_3}$

$T_1:=G^{k_1}{H}^{k_2};T_2:=G^{k_7}{H}^{k_4}{R}^{-k_0};T_3:=G^{k_6}{H}^{k_3}$

$T_4:=H^{k_3}{S}^{-k_5};\mathrm{\Γ}:=X^{-k_0}{H}^{k_7}{K}^{k_1}{P}^{-k_5}$

Calculate hash

Calculate $r^{\′}:=-c^{\′}{\tilde{o}}_{id}+t_0\mathrm{mod}q;s_0:=-c^{\′}{x}_{id}+k_0\mathrm{mod}q$

For each i ∈ { 1,2,3}, s _i:=-c ' t _i+ k _imodq

s ₄：＝-c′t ₂x _id+k ₄modq；s ₅：＝-c′d+k ₅modq

s ₆：＝-c′d ^-1+k ₆modq；s ₇：＝-c′t ₁x _id+k ₇modq

s ₈：＝-c′t ₃d+k ₈modq

Delete t ₀, t ₁, t ₂, t ₃, k ₀..., k ₈

According to above description, certifier calculates and corresponds to user identifier x in C _idsubmission and the response r ' of the attribute do not disclosed.Calculate an example response value r ' can relate to based on corresponding to user identifier x _idpromise come that c ' is addressed inquires to hash and perform conversion.Certifier uses hashed value c ' and corresponds to the vacancy of user identifier xid when calculated response value r '

According to an example implementation, certifier uses in numeral, the hashed value c ' and user identifier x of one group of stochastic generation _idbased on comprising signature element s ₀..., s ₈various mathematical number is calculated at interior Prime Orders cyclic group structure.At least some in these numerals is assembled into the assembly presenting proof being passed to ISP in step 312 by certifier.Below describe certifier be delivered to ISP for checking present prove and to user identifier x _idthe example embodiment of promise:

Present proof:

${\left\{A_i\right\}}_{i\∈D},r_0,{\left\{r_i\right\}}_{i\∈U},{\left\{({\tilde{c}}_i,{\tilde{a}}_i,{\tilde{r}}_i)\right\}}_{i\∈C}$

c′，r′，s ₀，...，s ₈，X，Y，R，S

Commitment value:

Replacement blacklist non-member qualification proof described herein can be used to construct other embodiments.

Mechanism as an alternative, white list may need one group of different operations to generate elaboration user identifier x _idmembership qualification (and setting forth its validity thus) present proof.Below represent the user identifier x for it _idbe accumulated to an example embodiment of one group of such operation of the minimum disclosure voucher in the white list with evidence (W, D):

For each i ∈ C, ${\tilde{r}}_i:=-c{\tilde{o}}_i+{\tilde{w}}_i\mathrm{mod}q$

Delete

Generate random

$B:=g^{k_0}{g}_1^{t_0}$

$X:{\mathrm{WH}}^{t_1};Y:={\mathrm{QK}}^{t_1};R:=G^{t_1}{H}^{t_2}$

$T_1:=G^{k_1}{H}^{k_2};T_2:=G^{k_7}{H}^{k_4}{R}^{-k_0}$

$\mathrm{\Γ}:=X^{-k_0}{H}^{k_3}{K}^{k_1}$

Calculate hash

Calculate $r^{\′}:=-c^{\′}{\tilde{o}}_{id}+t_0\mathrm{mod}q;s_0:=-c^{\′}{x}_{id}+k_0\mathrm{mod}q$

For each i ∈ { 1,2}, s _i:=-c ' t _i+ k _imodq

s ₃：＝-c′t ₁x _id+k ₃modq；s ₄：＝-c′t ₂x _id+k ₄modq

Delete t ₀, t ₁, t ₂, k ₀..., k ₄

Step 312 relate to by voucher, present proof and commitment value be delivered to ISP in case initiate transaction.Obtain from above operation and be returned to presenting proof and can being defined as follows of ISP:

Present proof:

${\left\{A_i\right\}}_{i\∈D},a,r_0,{\left\{r_i\right\}}_{i\∈U},{\left\{({\tilde{c}}_i,{\tilde{a}}_i,{\tilde{r}}_i)\right\}}_{i\∈C}$

c′，r′，s ₀，...，s ₄，X，Y，R

Commitment value:

Replacement white list membership qualification described herein can be used to prove to construct other embodiments.

Once user identifier x _idbe white list member or blacklist non-member by confirming voucher and presenting that proof is verified as, ISP just completes transaction and returns any related data to certifier.Step 314 stops the exemplary step that Fig. 3 describes.

Fig. 4 is the flow chart that the exemplary step for controlling the access to ISP is shown according to one or more example implementation.In one implementation, exemplary step is performed by various software and/or hardware, the verifier 106 of all Fig. 1 as described in this article.

Access control can relate to non-ly cancels the validity that assembly carrys out validating documents by being applied to by verifier-specific code data, such as based on the mathematical proof of the Prime Orders cyclic group structure such as using standardized discrete logarithm password group to build.Mathematical proof can be called as in this article and present proof.Present proof (such as membership qualification proves or non-member qualification proof) general by authentication of users identifier x _idbe not accumulated in the blacklist representing reversed voucher or be accumulated in and represent that the white list Zhong Lai evidence voucher of effective voucher is non-and cancel, and without the need to understanding user identifier x _idvalue.

The step described in Fig. 4 starts from step 402 and proceeds to step 404 when receiving voucher, and this voucher is attended by the proof of the voucher in this voucher.Except voucher and present except proof, verifier's access cancels state from the non-of verifier-specific code data voucher for confirmation of cancelling authoritative institution.Below represent one group of example input parameter when cancelling scheme and U-and proving that cryptography scheme is combined:

Issuer parameter field:

The Ordered indices of the attribute disclosed:

The Ordered indices of the attribute do not disclosed: U={1 ..., n}-D

The Ordered indices of the attribute submitted to:

U-evidence voucher:

Message: m ∈ { 0,1} ^*

Present proof:

c′，r′，s ₀，...，s ₄，X，Y，R

Accumulator public keys

Current accumulation value V

As request access ISP, the supplier operated on the computing equipment of user presents voucher and proves for credential verification.In an exemplary realization, before refusal or permission access, which attribute ISP and user consult will disclose.Such as, ISP can adhere to some information comprising voucher.User and ISP can determine not have attribute want disclosed when user adopts voucher to confirm the request of user validating documents.

Once received, verifier performs sequence of operations to verify to present proves to determine membership qualification in accumulator or non-member qualification.Below represent that the wherein accumulator of such operation corresponds to an example embodiment of blacklist.

Present checking

x _t：＝ComputeXt(IP，TI)

For each i ∈ D, x _i:=ComputeXi (IP, A _i)

Checking

For each i ∈ C, checking

Calculate

$B:=g^{s_0}{g}_1^{r^{\′}}{\tilde{c}}_{id}^{c^{\′}}$

$T_1:=G^{s_1}{H}^{s_2}{R}^{c^{\′}};T_2:=G^{s_7}{H}^{s_4}{R}^{-s_0};$

$T_3:=G^{s_6}{H}^{s_3}{S}^{c^{\′}};T_4:=G^{-c^{\′}}{H}^{s_8}{S}^{-s_5};$

$\mathrm{\Γ}:=X^{-s_0}{H}^{s_7}{K}^{s_1}{P}^{-s_5}{\left(V^{-1}Y\right)}^{c^{\′}}$

Checking

Y＝ _？X ^δ

At least some during step 406 operates to step 410 with reference to these, but be appreciated that these operations can be modified to realize credential verification in other embodiments.Step 406 refers to use at least some proof assembly to calculate the value based on discrete logarithm password group.Step 408 refers to compare based on the hashed value of commitment value and suitable proof assembly.Step 410 illustrates that the privately owned cryptographic key that verifier specifies and Cryptographic Hash Function are to the application presenting proof.Step 412 refers to determine user identifier x _idmembership qualification in blacklist or non-member qualification, and step 414 refers to determine user identifier x _idmembership qualification in white list or non-member qualification.If present proof to comprise non-member qualification proof, then sequence of operations described above is performed.

On the other hand, comprise membership qualification prove if present proof, then perform step 414 and replace step 412, represented by following row operations.

Present checking

x _t：＝ComputeXt(IP，TI)

For each i ∈ D, x _i:=ComputeXi (IP, A _i)

Checking

For each i ∈ C, checking

Calculate

$B:=g^{s_0}{g}_1^{r^{\′}}{\tilde{c}}_{id}^{c^{\′}}$

$T_1:=G^{s_1}{H}^{s_2}{R}^{c^{\′}};T_2:=G^{s_3}{H}^{s_4}{R}^{-s_0}$

$\mathrm{\Γ}:=X^{-s_0}{H}^{s_3}{K}^{s_1}{\left(V^{-1}Y\right)}^{c^{\′}}$

Checking

Y＝ _？X ^δ

Step 416 represents with regard to voucher to be invalid or effectively to determine.According to an example implementation, if each proves that assembly can be verified, then voucher is effective, this is because the identity of voucher user is not cancelled and user can be granted ISP access.

If voucher is cancelled, then step 418 illustrates the refusal of the access to user.If voucher is effective, then step 420 illustrates the permission of the access to user.Step 422 stops the execution of the exemplary step that Fig. 4 describes.

Fig. 5 is the flow chart of the step for upgrading at least one evidence value illustrated according to one or more example implementation.The step described in Fig. 5 starts from step 502, and proceeds to step 504 when at least one evidence value is accessed.In one implementation, exemplary step is performed by various software and/or hardware, and all Fig. 2 as described in this article cancel authoritative institution 212.

To the calculating of at least one evidence value utilize by embedded be the unique user identifiers of cancelling attribute in voucher and the accumulator representing at least one reversed identifier or at least one effective identifier.In one implementation, this at least one voucher is effective, and this at least one user identifier is not accumulated in blacklist.In a further implementation, this at least one voucher is co-pending, and user completes transaction with previous voucher.Therefore, this at least one voucher is not effective.Authentication service has cancelled these vouchers and this at least one user identifier cumulative produce new accumulator.

Step 506 represents about in response to accumulator member interpolation or member deletion, whether upgrades the determination of this at least one evidence value.Accumulator can form a part for blacklist or white list.If do not have such interpolation or delete to occur, then the execution of these steps is waited in step 508 place.Once such interpolation or deletion occur, then at least one evidence value is updated to reflect new accumulator.Step 510 represents to accumulator interpolation member and calculates the realization of up-to-date evidence value.Step 512 represents from accumulator removing members and calculates the realization of up-to-date evidence value.

Step 514 represents comparing of at least one up-to-date evidence value and new accumulator.Step 514 is performed to verify that at least one evidence value complement is filled this new accumulator and proves that user identifier is not accumulated in blacklist.To ISP, this ensure that voucher is effective really.Alternatively, at least one evidence value proves that user identifier is accumulated in white list.Step 516 represents up-to-date evidence value is turned back to user.Step 518 represents the termination of exemplary step.

example networking and distributed environment

It will be appreciated by those skilled in the art that, each embodiment described herein and method can realize in conjunction with any computer or other client computer or server apparatus, it can be deployed as the part or in a distributed computing environment of computer network, and can be connected to the one or more data of any type and store.In this, each embodiment described herein can there is any amount of memory or memory cell and realize in any computer system of occurring across any amount of memory cell of any amount of application and process or environment.This includes but not limited to have the environment of server computer in the network environment or distributed computing environment (DCE) being deployed in and having long-range or local storage and client computer.

Distributed Calculation is exchanged by communication between computing equipment and system and provides sharing of computer resource and service.These resources and service comprise information exchange, for the high-speed cache storage of the object of such as file and so on and disk storage.These resources and the service disposal ability also comprised between multiple processing unit is shared to carry out load balance, resource expansion, process specialization etc.Distributed Calculation utilizes network to connect, thus allows client computer to utilize its collective power to be benefited to make whole enterprise.At this point, can have can as participated in the application of resource management mechanism, object or resource with describing with reference to various embodiments of the present invention for various equipment.

Fig. 6 provides exemplary networking or the schematic diagram of distributed computing environment (DCE).This distributed computing environment (DCE) comprises calculating object 610,612 etc. and calculating object or equipment 620,622,624,626,628 etc., and these calculating objects or equipment can comprise program, method, data storage, FPGA (Field Programmable Gate Array) etc. as represented by example application 630,632,634,636,638.Be appreciated that, calculating objects 610,612 etc. and calculating object or equipment 620,622,624,626,628 etc. can comprise different equipment, such as personal digital assistant (PDA), audio/video devices, mobile phone, MP3 player, personal computer, laptop computer etc.

Each calculating object 610,612 etc. and calculating object or equipment 620,622,624,626,628 etc. directly or indirectly communicate with other calculating objects 610,612 one or more etc. and calculating object or equipment 620,622,624,626,628 etc. by communication network 640.Although be illustrated as individual element in figure 6, the system that communication network 640 can comprise to Fig. 6 provides other calculating objects of service and computing equipment and/or can represent unshowned multiple interference networks.Each calculating objects 610,612 etc. or calculating object or equipment 620,622,624,626,628 etc. can also comprise application, realization that such as can utilize API or other objects, software, firmware and/or hardware, that be suitable for the application provided according to each embodiment of the present disclosure or carry out the application 630,632,634,636,638 that communicates with it.

There is various systems, assembly and the network configuration of supporting distributed computing environment (DCE).Such as, computing system can be linked together by wired or wireless system, local network or the network extensively distributed.Current, many networks are coupled to internet, and internet is that the calculating of extensively distribution provides the foundation structure comprise many different networks, but any network infrastructure all can be used for being convenient to the example communication with the system such as described in each embodiment.

Thus, numerous network topology structure and the network infrastructure of such as client/server, equity or mixed architecture and so on can be used." client computer " uses the member in it irrelevant another kind of or class of service of organizing or group.Client computer can be process, such as, be one group of instruction or the task of asking the service provided by another program or process haply.Client process uses the service of asking, and without the need to " knowing " any operational detail about other programs or service itself.

In client/server architecture, especially in networked system, client computer normally accesses the computer of the shared network resource that another computer (such as, server) provides.In the diagram of Fig. 6, as non-limiting example, calculating object or equipment 620, 622, 624, 626, 628 grades can be considered to client computer, and calculating object 610, 612 grades can be considered to server, wherein as the calculating object 610 of server, 612 etc. provide data, services, such as from client computes object or equipment 620, 622, 624, 626, 628 grades receive data, store data, deal with data, to client computes object or equipment 620, 622, 624, 626, 628 grades send data, but depend on environment, any computer all can be considered to client computer, server, or both.

Server is normally by the telecommunication network of such as internet or wireless network infrastructure and so on or the remote computer system of local network access.Client process can be movable in first computer system, and server processes can be movable in second computer system, and they are intercomed mutually by communication media, provide distributed functionality thus and allow multiple client computer to utilize the information gathering capability of server.

In the network environment of internet at communication network 640 or bus, such as, calculating object 610,612 etc. can be that other calculating objects or equipment 620,622,624,626,628 etc. are via any one Web server communicated with in the multiple known protocol of such as HTML (Hypertext Markup Language) (HTTP) and so on.Calculating objects 610,612 etc. also can be used as the client computer of such as calculating object or equipment 620,622,624,626,628 etc. as server, and the feature of distributed computing environment (DCE) is exactly like this.

example Computing Device

As mentioned above, advantageously, technology described herein can be applied to any equipment.Therefore, can understand, contemplate the hand-hold type of all kinds used in conjunction with each embodiment, portable and other computing equipment and calculating object.Therefore, described in the figure 7 below general purpose remote computer is an example of computing equipment.

Each embodiment can partly realize via operating system, and the developer of services for equipment or object uses, and/or is included in the application software of the one or more function aspects for performing described each embodiment herein.Software can describe in the general context of the computer executable instructions such as the such as program module performed by one or more computer such as such as client workstation, server or miscellaneous equipment etc.It will be apparent to one skilled in the art that computer system has the various configuration and agreement that can be used for transmitting data, and do not have customized configuration or agreement should be considered to restrictive thus.

Fig. 7 thus illustrates the example of the suitable computing system environment 700 of one or more aspects that wherein can realize each embodiment as herein described, although as mentioned above, computing system environment 700 is only an example of suitable computing environment and is not intended to propose any restriction to use or envelop of function.In addition, computing system environment 700 is not intended to be interpreted as there is any dependence to any one in assembly illustrated in example operating environment 700 or its combination yet.

With reference to figure 7, the exemplary remote device for realizing one or more embodiment comprises the universal computing device of computer 710 form.The assembly of computer 710 can include but not limited to: processing unit 720, system storage 730 and the various system components comprising system storage are coupled to the system bus 720 of processing unit 722.

Computer 710 generally includes various computer-readable medium, and can be any usable medium can accessed by computer 710.System storage 730 can comprise the such as volatibility of read-only memory (ROM) and/or random access memory (RAM) and so on and/or the computer-readable storage medium of nonvolatile memory form.Exemplarily unrestricted, system storage 730 also can comprise operating system, application program, other program modules and routine data.

User by input equipment 740 to computer 710 input command and information.The display device of monitor or other types is also connected to system bus 722 via the interface of such as output interface 750 and so on.In addition to the monitor, computer also can comprise other peripheral output devices of such as loud speaker and printer and so on, and they connect by output interface 750.

The logic that computer 710 can use other remote computers one or more (such as remote computer 770) is connected in networking or distributed environment and operates.Remote computer 770 can be personal computer, server, router, network PC, peer device or other common network node or any other remote media consumption or transmission equipment, and can comprise above about any or all of element described in computer 710.Logic shown in Fig. 7 connects the network 772 comprising such as local area network (LAN) (LAN) or wide area network (WAN) and so on, but also can comprise other network/bus.These networked environments are common in the computer network of family, office, enterprise-wide, Intranet and internet.

As mentioned above, although describe each exemplary embodiment in conjunction with various computing equipment and the network architecture, basic conception can be applied to wherein expecting improving any network system of the efficiency that resource uses and any computing equipment or system.

And, exist and realize same or similar functional multiple method, such as suitable API, tool box, driver code, operating system, control, independence or downloadable software object etc., they make application and service can utilize the technology provided herein.Thus, each embodiment is herein from the viewpoint of API (or other software objects) and from the software or the hardware objects conception that realize one or more embodiment as described in this article.Thus, described herein each embodiment can have adopt hardware completely, part adopts hardware and part adopts software and adopts the aspect of software.

Word used herein " exemplary " means as example, example or explanation.For avoiding feeling uncertain, theme disclosed herein is not limited to these examples.In addition, described herein be described to " exemplary " any aspect or design might not be interpreted as comparing other side or design more preferably or favourable, do not mean that yet and get rid of equivalent exemplary structure known to persons of ordinary skill in the art and technology.In addition, " comprise " with regard to using term, " having ", with regard to " comprising " and other similar words, for avoiding feeling uncertain, these terms to be intended to be similar to when term " comprises " in for claim as the mode of open transition word but inclusive, and do not get rid of any additional or other elements.

As described in, various technology described herein can combined with hardware or software or, in due course, realize with both combinations.As used herein, term " assembly ", " module ", " system " etc. are intended to refer to computer related entity equally, or hardware, the combination of hardware and software, software or executory software.Such as, assembly can be but the process being not limited to run on a processor, processor, object, can executive item, the thread of execution, program and/or computer.As explanation, the application run on computers and computer can be assemblies.One or more assembly can reside in the thread of process and/or execution, and assembly and/or can be distributed between two or more computer on a computer.

Aforementioned system is with reference to being described alternately between some assemblies.Be appreciated that these systems and assembly can comprise those assemblies or the sub-component of specifying, assembly that some is specified or sub-component and/or additional assembly, and according to the various displacement of foregoing and combination.Sub-component also can be used as the assembly being coupled to other assemblies communicatedly and realizes, instead of is included in parent component (layering).In addition, can notice that one or more assembly can be combined into the single component providing aggregation capability, or be divided into some independent sub-components, and such as any one or more intermediate layers such as management level can be provided to be coupled to such sub-component communicatedly to provide integrated functional.Any assembly described herein also can with not describe specially herein but generally known other assemblies one or more of those skilled in the art carry out alternately.

In view of example system as herein described, also the method that can realize according to described theme can be understood with reference to the flow chart of each accompanying drawing.Although in order to set forth for purpose of brevity, these methods are illustrated as and are described as a series of frame, but be appreciated that and understand each embodiment by the restriction of order of frame because some frames can from herein the different order describing and describe occur and/or occur concomitantly with other frames.Although show the flow process of non-sequential or branch via flow chart, be appreciated that can realize reaching identical or other branches various of similar results, flow path and frame order.In addition, the frame shown in some is optional when realizing method described below.

conclusion

Although the present invention is easy to make various amendment and replacing structure, its some illustrative embodiment is shown in the drawings and be described in detail above.But should understand, this is not intended to limit the invention to disclosed concrete form, but on the contrary, is intended to cover all modifications, replacing structure and the equivalents that fall within the spirit and scope of the present invention.

Except each embodiment described herein, be appreciated that, other similar embodiment can be used, or can modify described (all) embodiments and add to perform the identical or equivalent function of corresponding (all) embodiments and not deviate from these embodiments.In addition, multiple process chip or multiple equipment can share the performance of described one or more functions herein, and similarly, storage can realize across multiple equipment.Therefore, the invention is not restricted to any single embodiment, but will explain according to the range of appended claims, spirit and scope.

Claims (10)

1. the method performed at least one processor at least in part in a computing environment, described method comprises, process the checking request for access services supplier from user, described process comprises, access non-assembly of cancelling to ensure minimum disclosure voucher, wherein said non-assembly of cancelling uses to generate based on the scheme of Prime Orders password group, apply privately owned code data to confirm described non-cancel assembly and based on as by as described in non-cancel assembly determine as described in the validity of minimum disclosure voucher control to as described in the access of ISP.

2. the method for claim 1, is characterized in that, comprises further and checks that hashed value confirms for corresponding to the promise cancelling the user identifier of attribute be embedded in described minimum disclosure voucher.

3. the method for claim 1, it is characterized in that, control also to comprise to the access of ISP the membership qualification or non-member qualification of determining user identifier described in accumulator, described accumulator comprises at least one effective identifier or at least one reversed identifier respectively, and if described user identifier is the member of the described accumulator comprising at least one effective identifier described, then ISP described in instruction grants described checking request, if or described user identifier is the non-member of the described accumulator comprising at least one reversed identifier described, then ISP described in instruction refuses described checking request.

4. the method for claim 1, it is characterized in that, based on discrete logarithm, group generates inquiry, processes the evidence for the identifier using described inquiry to calculate, and verifies that the non-of described identifier is cancelled based on described evidence with to the promise of other parts be associated with described evidence.

5. the method for claim 1, it is characterized in that, apply privately owned code data also comprise by following verify generate for described minimum disclosure voucher present proof: use the elliptic curve structure of Prime Orders cyclic subgroup structure or described Prime Orders password group to carry out computational mathematics numeral and compare for the described assembly presenting proof.

6. the method for claim 1, it is characterized in that, apply privately owned code data also to comprise and use standardized password group to generate inquiry or verifier's cryptographic key of specifying, and the cryptographic key that described inquiry or described verifier are specified is applied to described non-assembly of cancelling to determine the validity of described minimum disclosure voucher.

7. an identity management system in a computing environment, described system comprises issuer, described issuer is configured to process the certified user data comprising user identifier from Identity Provider, Prime Orders password group is used to generate minimum disclosure voucher, using certified user data as attribute coding in described minimum disclosure voucher, wherein said identity management system also comprises cancels authoritative institution, the described non-verifier-specific code data of cancelling of cancelling authoritative institution and being configured to generate accumulator and calculate for determining described minimum disclosure voucher, wherein said accumulator represents at least one reversed user identity or at least one validated user identity.

8. system as claimed in claim 7, it is characterized in that, describedly cancel the cryptographic key that authoritative institution is further configured to use verifier to specify or the inquiry that the verifier generated from isomorphism additive subgroup generates to calculate described accumulator, the wherein said authoritative institution that cancels is further configured in response to member deletion or member's interpolation, uses described verifier-specific code data to upgrade described accumulator.

9. one or more computer-readable medium with computer executable instructions, described computer executable instructions performs following steps when being performed, and comprising:

Access minimum disclosure voucher and user identifier;

Use the evidence based on accumulator of described user identifier to generate and present proof, wherein said presenting proves to prove non-the cancelling of user identifier, and the wherein said evidence based on accumulator uses discrete logarithm password group to calculate; And

Present described in using prove and described minimum disclosure voucher initiate conclude the business.

10. one or more computer-readable medium as claimed in claim 9, is characterized in that, has the further computer executable instructions comprising and perform the following step:

Private cipher key is generated from multiplicative subgroup structure or elliptic curve structure; And

Use the attribute of described minimum disclosure voucher and described private cipher key to generate public keys, wherein said attribute comprises cancels attribute, described in cancel the attribute that do not disclose of attribute as the submission of described user identifier.